[nsd-users] SIGSEGV in rbtree_find_less_equal

Jeroen Koekkoek jeroen at nlnetlabs.nl
Wed Oct 23 12:13:17 UTC 2024


Hi Chris,

I've merged the commit that resolves the issue
(https://github.com/NLnetLabs/nsd/pull/389). The next release will
include it. Thanks again for reporting.

Also, a statement in my previous response was incorrect.

RFC 5155 says:
Each empty non-terminal MUST have a corresponding NSEC3 RR, unless the
empty non-terminal is only derived from an insecure delegation covered
by an Opt-Out NSEC3 RR.

Best regards,
Jeroen


On Wed, 2024-10-16 at 14:30 +0000, Chris LaVallee wrote:
> 
> Hi Jeroen,
> 
> 
> In the case that triggered this crash for us, someone typo-ed
> nsd.conf by adding the zone "bar.foo.com" (which didn't exist). They
> meant to add a different zone name.
> 
> 
> Chris
> From: Jeroen Koekkoek <jeroen at nlnetlabs.nl>
> Sent: Wednesday, October 16, 2024 3:18 AM
> To: Chris LaVallee <clavallee at edg.io>; nsd-users at lists.nlnetlabs.nl
> <nsd-users at lists.nlnetlabs.nl>
> Subject: Re: [nsd-users] SIGSEGV in rbtree_find_less_equal
> 
>  
> 
> 
> Hi Chris,
> 
> I've properly started looking into this yesterday. NSD definitely
> shouldn't crash, still working on that.
> 
> However, the provided zone is invalid too(?) I'm not the foremost
> expert on NSEC3 (or even DNSSEC), but it seems an NSEC3 is missing
> for bar.foo.com. Empty non-terminals should still have an NSEC3 RR.
> 
> (Of course, the delegation point should be at bar.foo.com. too and
> a.bar.foo.com. is an occluded name and this situation is purely
> hypothetical).
> 
> I used the attached zone file along with the following commands to
> generate a zone file to The input I used to generate:
> 
> ldns-keygen -a 13 -k foo.com
> dnssec-signzone -3 AA61D5A398769C09 -H 0 -S -A -z -o foo.com. foo.com.zone Kfoo.com.+013+58636
> 
> Doesn't get me the exact same thing, but good enough to get the
> same segfault.
> 
> - Jeroen
> 
> 
> On Wed, 2024-10-09 at 13:53 +0200, Jeroen Koekkoek via nsd-users
> wrote:
> > Hi Chris,
> > 
> > I can reproduce with your zone. Thanks!
> > 
> > Best,
> > Jeroen
> > 
> > 
> > On Tue, 2024-10-08 at 14:07 +0000, Chris LaVallee wrote:
> > > 
> > > Hi Jeroen,
> > > 
> > > 
> > > Attached is the zone I used. Did you add the record for a.bar ?
> > > 
> > > 
> > > Ex:
> > > 
> > > 
> > > a.bar   300     IN  NS      ns.somewhere.net.
> > > 
> > > 
> > > Chris
> > > 
> > > From: Jeroen Koekkoek <jeroen at nlnetlabs.nl>
> > > Sent: Tuesday, October 8, 2024 5:33 AM
> > > To: Chris LaVallee <clavallee at edg.io>;
> > > nsd-users at lists.nlnetlabs.nl
> > > <nsd-users at lists.nlnetlabs.nl>
> > > Subject: Re: [nsd-users] SIGSEGV in rbtree_find_less_equal
> > > 
> > >  
> > > 
> > > 
> > > Hi Chris,
> > > 
> > > I'm having trouble trying to reproduce the issue locally.
> > > 
> > > Like you I configure two zones.
> > > 
> > > zone:
> > >   name: example.com.
> > >   zonefile: example.com.zone.signed
> > > 
> > > zone:
> > >   name: bar.example.com.
> > >   zonefile: bar.example.com.zone
> > > 
> > > The file bar.example.com.zone does not exist. After touching and
> > > reloading the signed zone, no segfault occurs. I've tried with and
> > > without the "--disable-radix-tree" configure option (as the error
> > > occurs in the rbtree). I've also tried with example.com. being an
> > > NSEC and NSEC3 zone.
> > > 
> > > Can you provide some more details?
> > > 
> > > Best regards,
> > > Jeroen
> > > 
> > > 
> > > 
> > > 
> > > On Wed, 2024-10-02 at 14:57 +0000, Chris LaVallee via nsd-users
> > > wrote:
> > > > 
> > > > Hi,
> > > > 
> > > > 
> > > > I found a reproducible seg fault with a DNSSEC signed zone and
> > > > overlapping config. I'm running NSD 4.10.1. Here's how to
> > > > reproduce.
> > > > 
> > > > 
> > > > 2 zones in nsd.conf:
> > > > 
> > > > 
> > > > zone:
> > > >         name:     "foo.com."
> > > >         zonefile:     "/zones/foo.com.zone.signed"
> > > > 
> > > > 
> > > > zone:
> > > >         name:     "bar.foo.com."
> > > >         zonefile: "/zones/bar.foo.com.zone"
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Zone files:
> > > > 
> > > > 
> > > > foo.com.zone.signed is DNSSEC signed with a record for a.bar (A record or anything)
> > > > bar.foo.com.zone doesn't exist (but it's in nsd.conf shown above)
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Steps:
> > > > 1) Startup NSD
> > > > 2) touch foo.com.zone.signed
> > > > 3) reload NSD
> > > > 
> > > > 
> > > > 
> > > > 
> > > > nsd.log will say:
> > > > [2024-10-02 07:19:58.691] nsd[962739]: info: control cmd: reload
> > > > [2024-10-02 07:19:58.845] nsd[962752]: error: handle_reload_cmd: reload closed cmd channel
> > > > [2024-10-02 07:19:58.845] nsd[962752]: warning: Reload process 962740 failed, continuing with old database
> > > > 
> > > > 
> > > > core dump says SIGSEGV in rbtree_find_less_equal
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Chris LaVallee
> > > > Edgio (formerly EdgeCast Networks)
> > > > 
> > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > nsd-users mailing list
> > > > nsd-users at lists.nlnetlabs.nl
> > > > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
> > > 
> > 
> 
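
A pre-reload check for the misconfiguration that triggered the crash in this thread, as an added example that is not part of the thread or of NSD: it flags any configured zone whose zonefile is missing and whose name sits below another configured zone. The parser is a simplified assumption (one `key: value` per line, absolute zonefile paths, no `include:` or `pattern:` handling), and the sample configuration is constructed from the one quoted above.

```python
import os
import re

# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE_CONF = '''
zone:
        name:     "foo.com."
        zonefile:     "/zones/foo.com.zone.signed"

zone:
        name:     "bar.foo.com."
        zonefile: "/zones/bar.foo.com.zone"
'''

def parse_zones(conf_text):
    """Return [(name, zonefile)] per zone: clause (simplified, assumed syntax)."""
    zones, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r'^([\w-]+):\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if not value:                            # clause header, e.g. "zone:"
            current = {} if key == "zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None and key in ("name", "zonefile"):
            current[key] = value
    return [(z.get("name", ""), z.get("zonefile", "")) for z in zones]

def norm(name):
    return name.lower().rstrip(".")

def risky_zones(zones, exists=os.path.exists):
    """Zones with a missing zonefile that lie below another configured zone."""
    names = {norm(n) for n, _ in zones}
    findings = []
    for name, zonefile in zones:
        labels = norm(name).split(".")
        ancestors = [".".join(labels[i:]) for i in range(1, len(labels))]
        parent = next((a for a in ancestors if a in names), None)  # closest first
        if parent and not exists(zonefile):
            findings.append((norm(name), parent, zonefile))
    return findings

if __name__ == "__main__":
    for name, parent, zonefile in risky_zones(parse_zones(SAMPLE_CONF)):
        print(f"{name}: zonefile {zonefile} missing, overlaps configured zone {parent}")
```
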


